The Danish Data Protection Agency (Datatilsynet) has recently mandated a directive concerning transferring student data to Google via Google Workspace services and Chromebooks being used in schools across Denmark.
The issue is not new, however. About four years ago, Jesper Graugaard made the agency aware of its existence, voicing his concerns that student data is indiscriminately sent to Google without concern for potential repercussions or possible mishandling.
After thorough consideration, the agency ruled that transferring personal data to Google in its current form has no legal basis for all stated purposes, leading multiple Danish precincts to change how they process and share data.
As part of the recent modifications, local authorities are instructed to:
Datatilsynet further elaborated that the company may use student data to provide educational services as part of the Google Workspace platform, enhance the reliability and security of the services, fulfill legal obligations and facilitate communication.
The agency decided that purposes like performance measurements, new feature development, as well as maintaining and improving products such as ChromeOS, the Chrome browser, and Google Workspace for Education fall under non-permissible cases.
While Datatilsynet doesn’t necessarily ban Google services and products from schools across the country, the agency’s decision may hamper the company’s collection of personal data.
On the other hand, it may prove daunting for local authorities to prove they’re compliant with Datatilsynet’s decision without relinquishing access to Google services such as the Workspace or Chromebooks.
Municipalities must explicitly declare how they intend to adhere to the new regulations by March 1 and adjust their data processing practices accordingly until Aug 1.